Cryptographic identification and digital signature method using efficient elliptic curve

ABSTRACT

A method of identifying user, generating digital signature, and verifying digital signature by selecting a modulus p in the form of p=(2 dk −2 ck −1)/r; p=(2 dk −2 (d−1)k +2 (d−2)k −. . . −2 k +1)/r; p=(2 dk −2 ck −1)/r; p=(2 dk −2 ck +1)/r; and p=(2 4k −2 3k +2 2k +1)/r; selecting an elliptic curve E and an order q; selecting a basepoint G; generating a private key w; generating a public key W=wG; distributing p, E, q, G, and W; retrieving a prover&#39;s private key w; retrieving the prover&#39;s public key W; generating a private integer k; combining k and the prover&#39;s G to form K using the prover&#39;s modulus p; sending K to the verifier; sending a challenge integer c to prover; combining c, k, and w to form a response integer v; sending v to the verifier; combining cG, K, and W using the prover&#39;s modulus p and checking to see if the combination is equal to vG. If not so, stop. Otherwise, retrieving the signer&#39;s private key w; generating a private integer k; combining k and G to form K using the prover&#39;s modulus p; combining K and a message M to form an integer h; combining h, k, and w to form an integer s; sending M and (K,s) as a digital signature of M; retrieving the prover&#39;s public key W. receiving M and (K,s); combining K and M to form an integer h; and combining h, k, and W using the prover&#39;s modulus p and checking to see if the combination is equal to sG. If so, the digital signature is verified.

[0001] This application claims the benefit of U.S. ProvisionalApplication No. 60/226,209, filed Aug. 18, 2000.

FIELD OF THE INVENTION

[0002] The present invention relates, in general, to cryptography and,in particular, to public key cryptography.

BACKGROUND OF THE INVENTION

[0003] Cryptography provides methods of providing privacy andauthenticity for remote communications and data storage. Privacy isachieved by encryption of data, usually using the techniques ofsymmetric cryptography (so called because the same mathematical key isused to encrypt and decrypt the data). Authenticity is achieved by thefunctions of user identification, data integrity, and messagenon-repudiation. These are best achieved via asymmetric (or public-key)cryptography.

[0004] In particular, public-key cryptography enables encryptedcommunication between users that have not previously established ashared secret key between them. This is most often done using acombination of symmetric and asymmetric cryptography: public-keytechniques are used to establish user identity and a common symmetrickey, and a symmetric encryption algorithm is used for the encryption anddecryption of the actual messages. The former operation is called keyagreement. Prior establishment is necessary in symmetric cryptography,which uses algorithms for which the same key is used to encrypt anddecrypt a message. Public-key cryptography, in contrast, is based on keypairs. A key pair consists of a private key and a public key. As thenames imply, the private key is kept private by its owner, while thepublic key is made public (and typically associated to its owner in anauthenticated manner). In asymmetric encryption, the encryption step isperformed using the public key, and decryption using the private key.Thus the encrypted message can be sent along an insecure channel withthe assurance that only the intended recipient can decrypt it.

[0005] The key agreement can be interactive (e.g., for encrypting atelephone conversation) or non-interactive (e.g., for electronic mail).

[0006] User identification is most easily achieved using what are calledidentification protocols. A related technique, that of digitalsignatures, provides data integrity and message non-repudiation inaddition to user identification.

[0007] The use of cryptographic key pairs was disclosed in U.S. Pat. No.4,200,770, entitled “CRYPTOGRAPHIC APPARATUS AND METHOD.” U.S. Pat. No.4,200,770 also disclosed the application of key pairs to the problem ofkey agreement over an insecure communication channel. The algorithmsspecified in this U.S. Pat. No. 4,200,700 rely for their security on thedifficulty of the mathematical problem of finding a discrete logarithm.U.S. Pat. No. 4,200,770 is hereby incorporated by reference into thespecification of the present invention.

[0008] In order to undermine the security of a discrete-logarithm basedcryptoalgorithm, an adversary must be able to perform the inverse ofmodular exponentiation (i.e., a discrete logarithm). There aremathematical methods for finding a discrete logarithm (e.g., the NumberField Sieve), but these algorithms cannot be done in any reasonable timeusing sophisticated computers if certain conditions are met in thespecification of the cryptoalgorithm.

[0009] In particular, it is necessary that the numbers involved be largeenough. The larger the numbers used, the more time and computing poweris required to find the discrete logarithm and break the cryptography.On the other hand, very large numbers lead to very long public keys andtransmissions of cryptographic data. The use of very large numbers alsorequires large amounts of time and computational power in order toperform the cryptoalgorithm. Thus, cryptographers are always looking forways to minimize the size of the numbers involved, and the time andpower required, in performing the authentication algorithms. The payofffor finding such a method is that cryptography can be done faster,cheaper, and in devices that do not have large amounts of computationalpower (e.g., hand-held smart-cards).

[0010] A discrete-logarithm based cryptoalgorithm can be performed inany mathematical setting in which certain algebraic rules hold true. Inmathematical language, the setting must be a finite cyclic group. Thechoice of the group is critical in a cryptographic system. The discretelogarithm problem may be more difficult in one group than in another forwhich the numbers are of comparable size. The more difficult thediscrete logarithm problem, the smaller the numbers that are required toimplement the cryptoalgorithm. Working with smaller numbers is easierand faster than working with larger numbers. Using small numbers allowsthe cryptographic system to be higher performing (i.e., faster) andrequires less storage. So, by choosing the right kind of group, a usermay be able to work with smaller numbers, make a faster cryptographicsystem, and get the same, or better, cryptographic strength than fromanother cryptographic system that uses larger numbers.

[0011] The groups which were envisioned in the above-named patents comefrom a setting called finite fields. A book by N. Koblitz, “A Course inNumber Theory and Cryptography,” (1987), and a paper by V. Miller, “Useof elliptic curves in cryptography,” Advances in Cryptology—CRYPTO 85,LNCS 218, pp. 417-426, 1986, disclose the method of adaptingdiscrete-logarithm based algorithms to the setting of elliptic curves.It appears that finding discrete logarithms in this kind of group isparticularly difficult. Thus elliptic curve-based cryptoalgorithms canbe implemented using much smaller numbers than in a finite-field settingof comparable cryptographic strength. Thus the use of elliptic curvecryptography is an improvement over finite-field based public-keycryptography.

[0012] There are several kinds of elliptic curve settings. Thesesettings have comparable cryptographic strength and use numbers ofcomparable size. However, these settings differ in the amount ofcomputation time required when implementing a cryptoalgorithm.Cryptographers seek the fastest kind of elliptic curve basedcryptoalgorithms.

[0013] More precisely, an elliptic curve is defined over a field F. Anelliptic curve is the set of all ordered pairs (x, y) that satisfy aparticular cubic equation over a field F, where x and y are each membersof the field F. Each ordered pair is called a point on the ellipticcurve. In addition to these points, there is another point O called thepoint at infinity. The infinity point is the additive identity (i.e.,the infinity point plus any other point results in that other point).For cryptographic purposes, elliptic curves are typically chosen with Fas the integers mod p for some large prime number p (i.e., Fp) or as thefield of 2^ m elements.

[0014] To carry out an elliptic curve-based key agreement procedure, itis necessary to perform a sequence of operations involving points on thecurve and the equation of the curve. Each of these operations is carriedout via arithmetic operations in the field F, namely addition,subtraction, multiplication, and division. If F is the set of integersmod p, then the simplest and most common way to carry out the arithmeticoperations is to use ordinary integer arithmetic along with the processof reduction modulo p. This last process is called modular reduction.

[0015] Modular reduction is the most expensive part of the arithmeticoperations in the field Fp. Therefore, the efficiency of an ellipticcurve algorithm is enhanced when the cost of modular reduction isreduced. There are two common ways of doing this.

[0016] The first way is to avoid explicit modular reduction altogetherby using an alternative method of carrying out the arithmetic operationsin the field Fp. This was first proposed by P. Montgomery in the paper“Modular multiplication without trial division,” Mathematics ofComputation, 44 (1985), pp. 519-521. This method has the advantage thatit can be applied to both elliptic and non-elliptic cryptoalgorithms.

[0017] The second way is to choose the prime modulus p in such a waythat modular reduction is particularly easy and efficient. This approachyields faster elliptic curve algorithms than the first approach, butdoes not apply to non-elliptic cryptoalgorithms.

[0018] More specifically, suppose that one needs to reduce an integer bmodulo p. Typically, b is a positive integer less than the square of themodulus p. In the general case, the best way to reduce b modulo p is todivide b by p; the result is a quotient and a remainder. The remainderis the desired quantity. The division step is the most expensive part ofthis process. Thus the prime modulus p is chosen to avoid the necessityof carrying out the division.

[0019] The simplest and best-known choice is to let p be one less than apower of two. Such primes are commonly called Mersenne primes. Becauseof the special form of a Mersenne prime p, it is possible to replace thedivision step of the modular reduction process by a single modularaddition. A modular addition can be carried out using one or two integeradditions, and so is much faster than an integer division. As a result,reduction modulo a Mersenne prime is much faster than in the generalcase.

[0020] A larger class of primes which contains the Mersenne primes as aspecial case is the class of pseudo-Mersenne primes. These include theCrandall primes and the Gallot primes. The Crandall primes are those ofthe form 2^ m±C, where C is an integer less than 2^ 32 in absolutevalue. The Gallot primes are of the form k*2^ m±C, where both k and Care relatively small.

[0021] U.S. Pat. No. 5,159,632, entitled “METHOD AND APPARATUS FORPUBLIC KEY EXCHANGE IN A CRYPTOGRAPHIC SYSTEM”; U.S. Pat. No. 5,271,061,entitled “METHOD AND APPARATUS FOR PUBLIC KEY EXCHANGE IN ACRYPTOGRAPHIC SYSTEM”; U.S. Pat. No. 5,463,690, entitled “METHOD ANDAPPARATUS FOR PUBLIC KEY EXCHANGE IN A CRYPTOGRAPHIC SYSTEM”; U.S. Pat.No. 5,581,616, entitled “METHOD AND APPARATUS FOR DIGITAL SIGNATUREAUTHENTICATION”; U.S. Pat. No. 5,805,703, entitled “METHOD AND APPARATUSFOR DIGITAL SIGNATURE AUTHENTICATION”; and U.S. Pat. No. 6,049,610,entitled “METHOD AND APPARATUS FOR DIGITAL SIGNATURE AUTHENTICATION”;each disclose the use of a class of numbers in the form of 2^ q-C whichmake modular reduction more efficient and. therefore, make cryptographicmethods such as key exchange and digital signatures more efficient. Thepresent invention does not use a class of numbers in the form of 2^ q-C.U.S. Pat. Nos. 5,159,632; 5,271,061; 5,463,690; 5,581,616; 5,805,703;and 6,049,610 are hereby incorporated by reference into thespecification of the present invention.

[0022] Federal Information Processing Standards Publication 186-2 (i.e.,FIPS PUB 186-2) discloses a digital signature standard. In the appendixof FIPS PUB 186-2 are recommended elliptic curves for a 192-bit, a224-bit, a 256-bit, a 384-bit, and a 521-bit digital signature. Theelliptic curves disclosed in FIPS PUB 186-2 are different from theelliptic curves used in the present invention.

SUMMARY OF THE INVENTION

[0023] It is an object of the present invention to efficiently create adigital signature using a modulus p selected from the following familiesof equations:

p=(2^(dk)−2^(ck)−1)/r,

[0024] where 0<2c<=d, where r/=1, and where GCD(c,d)=1, where GCD is afunction that returns the greatest common denominator between thevariables in parenthesis;

p=(2^(dk)−2^((d−1)k)+2^((d−2)k)−. . . −2^(k)+1)/r,

[0025] where d is even, and where k is not equal to 2 (mod 4);

p=(2^(dk)−2^(ck)−1)/r,

[0026] where 3d<6c<4d, and where GCD(c,d)=1;

p=(2^(dk)−2^(ck)+1)/r,

[0027] where 0<2c<=d, where r/=1, and where GCD(c,d)=1; and

p=(2^(4k)−2^(3k)+2^(2k)+1)/r.

[0028] The first step through sixth step are done by each user whowishes to have its message digitally signed. The first step is selectinga modulus p from the following family of equations:

p=(2^(dk)−2^(ck)−1)/r,

[0029] where 0<2c<=d, where r/=1, and where GCD(c,d)=1;

p=(2^(dk)−2^((d−1)k)+2^((d−2)k)−. . . −2^(k)+1)/r,

[0030] where d is even, and where k is not equal to 2 (mod 4);

p=(2^(dk)−2^(ck)−1)/r,

[0031] where 3d<6c<4d, and where GCD(c,d)=1;

p=(2^(dk)−2^(ck)+1)/r,

[0032] where 0<2c<=d, where r/=1, and where GCD(c,d)=1; and

p=(2^(4k)−2^(3k)+2^(2k)+1)/r.

[0033] The second step is selecting an elliptic curve E and an order q.

[0034] The third step is selecting a basepoint G.

[0035] The fourth step is generating a private key w.

[0036] The fifth step is generating a public key W=wG.

[0037] The sixth step is distributing p, E, q, G, and W in an authenticmanner.

[0038] The seventh step through fifteenth step are done to identity theuser who wishes to have a message digitally signed. The seventh step isa prover retrieving its private key w.

[0039] The eighth step is a verifier retrieving the prover's public keyW.

[0040] The ninth step is the prover generating a private integer k.

[0041] The tenth step is the prover combining k and prover's G to form Kusing the form of the prover's modulus p.

[0042] The eleventh step is the prover sending K to the verifier.

[0043] The twelfth step is the verifier sending a challenge integer c toprover.

[0044] The thirteenth step is the prover combining c, k, and w to form aresponse integer v.

[0045] The fourteenth step is the prover sending v to the verifier.

[0046] The fifteenth step is the verifier combining cG, K, and W usingthe form of the prover's modulus p and checking to see if thecombination is equal to vG. If the combination is equal to vG then theprover is properly identified. Otherwise, the prover is not properlyidentified.

[0047] The sixteenth step through the twenty-first step are done by theperson digitally signing a message. The sixteenth step is a signerretrieving its private key w.

[0048] The seventeenth step is the signer generating a private integerk.

[0049] The eighteenth step is the signer combining k and G to form Kusing the form of the prover's modulus p.

[0050] The nineteenth step is the signer combining K and a message M toform an integer h.

[0051] The twentieth step is the signer combining h, k, and w to form aninteger s.

[0052] The twenty-first step is the signer sending the message M and thedigital signature (K,s) of M.

[0053] The twenty-second step through the twenty-fifth step are done bythe person verifying the digital signature. The twenty-second step isthe verifier retrieving the prover's public key W.

[0054] The twenty-third step is the verifier receiving M and (K,s).

[0055] The twenty-fourth step is the verifier combining K and M to forman integer h.

[0056] The twenty-fifth step is the verifier combining h, k, and W usingthe form of the prover's modulus p and checking to see if thecombination is equal to sG. If so, then the digital signature isverified. Otherwise, the digital signature is not verified.

[0057] The twenty-sixth step through the thirty-first step arealternative steps for digitally signing a message. The twenty-sixth stepis a signer retrieving its private key w.

[0058] The twenty-seventh step is the signer generating a privateinteger k.

[0059] The twenty-eighth step is the signer combining k and G to form Kusing the form of the prover's modulus p.

[0060] The twenty-ninth step is the signer combining K and a message Mto form an integer h.

[0061] The thirtieth step is the signer combining h, k, and w to form aninteger s.

[0062] The thirty-second step through thirty-sixth steps are alternativesteps for verifying the digital signature of the alternative signingsteps. The thirty-first step is the signer sending the message M and thedigital signature (h,s) of M.

[0063] The thirty-second step is the verifier retrieving the prover'spublic key W.

[0064] The thirty-third step is the verifier receiving M and (h,s).

[0065] The thirty-fourth step is the verifier combining h, W, and sGusing the form of the prover's modulus p to form K.

[0066] The thirty-fifth step is the verifier combining K and M to forman integer h′.

[0067] The thirty-sixth step is the verifier checking to see if h isequal to h′. If so, then the digital signature is verified. Otherwise,the digital signature is not verified.

BRIEF DESCRIPTION OF THE DRAWINGS

[0068]FIG. 1 is a list of steps that must be done by each user;

[0069]FIG. 2 is a list of steps for identifying a user;

[0070]FIG. 3 is a list of steps for signing a digital signature;

[0071]FIG. 4 is a list of steps for verifying a digital signature ofFIG. 3;

[0072]FIG. 5 is a list of alternate steps for signing a digitalsignature; and

[0073]FIG. 6 is a list of alternate steps for verifying a digitalsignature of FIG. 5.

DETAILED DESCRIPTION

[0074] The present invention is a method of identifying a user,generating a digital signature for a message of the user, and verifyingthe digital signature in an efficient manner (i.e., in fewer steps thanthe prior art) using a modulus p selected from the following family ofequations:

p=(2^(dk)−2^(ck)−1)/r,

[0075] where 0<2c<=d, where r/=1, and where GCD(c,d)=1;

p=(2^(dk)−2^((d−1)k)+2^((d−2)k)−. . . −2^(k)+1)/r,

[0076] where d is even, and where k is not equal to 2 (mod 4);

p=(2^(dk)−2^(ck)−1)/r,

[0077] where 3d<6c<4d, and where GCD(c,d)=1;

p=(2^(dk)−2^(ck)+1)/r,

[0078] where 0<2c<=d, where r/=1, and where GCD(c,d)=1; and

p=(2^(4k)−2^(3k)+2^(2k)+1)/r.

[0079] It has long been known that certain integers are particularlywell suited for modular reduction. The best known examples are theMersenne numbers p=2^(k)−1. In this case, the integers (mod p) arerepresented as k-bit integers. When performing modular multiplication,one carries out an integer multiplication followed by a modularreduction. One thus has the problem of reducing modulo p a 2k-bitnumber. Modular reduction is usually done by integer division, but thisis unnecessary in the Mersenne case. Let n<p² be the integer to bereduced (mod p). Let T be the integer represented by the k mostsignificant bits of n, and U the k least significant bits; thus

n=2^(k) T+U,

[0080] with T and U each being k-bit integers. Then

n=T+U(modp).

[0081] Thus, the integer division by m can be replaced by an addition(mod p), which is much faster.

[0082] The main limitation on this scheme is the special multiplicativestructure of Mersenne numbers. The above technique is useful only whenone intends to perform modular arithmetic with a fixed long-termmodulus. For most applications of this kind, the modulus needs to have aspecific multiplicative structure, most commonly a prime number. Theabove scheme proves most useful when k is a multiple of the word size ofthe machine. Since this word size is typically a power of 2, one mustchoose k which is highly composite. Unfortunately, the Mersenne numbersarising from such k are never prime numbers. It is, therefore, ofinterest to find other families of numbers that contain prime numbers oralmost prime numbers.

[0083] One such family is 2^(k)−c, for c positive, which is disclosed inU.S. Pat. Nos. 5,159,632; 5,271,061; 5,463,690; 5,581,616; 5,805,703;and 6,049,610 listed above. The present invention discloses the use ofother families of numbers.

[0084]FIG. 1 is a list of steps that must be done by each user of thepresent invention.

[0085] The first step 1 of the present method is selecting a modulus pfrom the following family of equations:

p=(2^(dk)−2^(ck)−1)/r,

[0086] where 0<2c<=d, where r/=1, and where GCD(c,d)=1;

p=(2^(dk)−2^((d−1)k)+2^((d−2)k)−. . . −2^(k)+1)/r,

[0087] where d is even, and where k is not equal to 2 (mod 4);

p=(2^(dk)−2^(ck)−1)/r,

[0088] where 3d<6c<4d, and where GCD(c,d)=1;

p=(2^(dk)−2^(ck)+1)/r,

[0089] where 0<2c<=d, where r/=1, and where GCD(c,d)=1; and

p=(2^(4k)−2^(3k)+2^(2k)+1)/r.

[0090] The second step 2 of the present method is selecting an ellipticcurve E and an order q.

[0091] The third step 3 of the present method is selecting a basepointG.

[0092] The fourth step 4 of the present method is generating a privatekey w.

[0093] The fifth step 5 of the present method is generating a public keyW=wG.

[0094] The sixth step 6 of the present method is distributing p, E, q,G, and W in an authentic manner (e.g., courier, secure channel, etc.).

[0095]FIG. 2 lists the steps for identifying a user.

[0096] The seventh step 7 of the method is a prover retrieving itsprivate key w.

[0097] The eighth step 8 of the present method is a verifier retrievingthe prover's public key W.

[0098] The ninth step 9 of the present method is the prover generating aprivate integer k.

[0099] The tenth step 10 of the present method is the prover combining kand prover's G to form K using the form of the prover's modulus p.

[0100] The eleventh step 11 of the present method is the prover sendingK to the verifier.

[0101] The twelfth step 12 of the present method is the verifier sendinga challenge integer c to prover.

[0102] The thirteenth step 13 of the present method is the provercombining c, k, and w to form a response integer v.

[0103] The fourteenth step 14 of the present method is the proversending v to the verifier.

[0104] The fifteenth step 15 of the present method is the verifiercombining cG, K, and W using the form of the prover's modulus p andchecking to see if the combination is equal to vG. If the combination isequal to vG then the prover is properly identified. Otherwise, theprover is not properly identified.

[0105]FIG. 3 is a list of steps for signing a digital signature.

[0106] The sixteenth step 16 of the present method is a signerretrieving its private key w.

[0107] The seventeenth step 17 of the present method is the signergenerating a private integer k.

[0108] The eighteenth step 18 of the present method is the signercombining k and G to form K using the form of the signer's modulus p.

[0109] The nineteenth step 19 of the present method is the signercombining K and a message M to form an integer h.

[0110] The twentieth step 20 of the present method is the signercombining h, k, and w to form an integer s.

[0111] The twenty-first step 21 of the present method is the signersending the message M and the digital signature (K,s) of M.

[0112]FIG. 4 is a list of steps for verifying the digital signaturegenerated by the steps of FIG. 3.

[0113] The twenty-second step 22 of the present method is the verifierretrieving the prover's public key W.

[0114] The twenty-third step 23 of the present method is the verifierreceiving M and (K,s).

[0115] The twenty-fourth step 24 of the present method is the verifiercombining K and M to form an integer h.

[0116] The twenty-fifth step 25 of the present method is the verifiercombining h, k, and W using the form of the prover's modulus p andchecking to see if the combination is equal to sG. If so, then thedigital signature is verified. Otherwise, the digital signature is notverified.

[0117]FIG. 5 is a list of alternate steps for signing a digitalsignature.

[0118] The twenty-sixth step 26 of the present method is a signerretrieving its private key w.

[0119] The twenty-seventh step 27 of the present method is the signergenerating a private integer k.

[0120] The twenty-eighth step 28 of the present method is the signercombining k and G to form K using the form of the signer's modulus p.

[0121] The twenty-ninth step 29 of the present method is the signercombining K and a message M to form an integer h.

[0122] The thirtieth step 30 of the present method is the signercombining h, k, and w to form an integer s.

[0123] The thirty-first step 31 of the present method is the signersending the message M and the digital signature (h,s) of M.

[0124]FIG. 6 is a list of alternate steps for verifying the digitalsignature generated by the steps of FIG. 5.

[0125] The thirty-second step 32 of the present method is the verifierretrieving the prover's public key W.

[0126] The thirty-third step 33 of the present method is the verifierreceiving M and (h,s).

[0127] The thirty-fourth step 34 of the present method is the verifiercombining h, W, and sG using the form of the prover's modulus p to formK.

[0128] The thirty-fifth step 35 of the present method is the verifiercombining K and M to form an integer h′.

[0129] The thirty-sixth step 36 of the present method is the verifierchecking to see if h is equal to h′. If so, then the digital signatureis verified. Otherwise, the digital signature is not verified.

What is claimed is:
 1. A method of identifying a user, comprising thesteps of: a) selecting a modulus p from the group of equationsconsisting of: p=(2^(dk)−2^(ck)−1)/r, where 0<2c<=d, where r/=1, andwhere GCD(c,d)=1; p=(2^(dk)−2^((d−1)k)+2^((d−2)k)−. . . −2^(k)+1)/r,where d is even, and where k is not equal to 2 (mod 4);p=(2^(dk)−2^(ck)−1)/r, where 3d<6c<4d, and where GCD(c,d)=1;p=(2^(dk)−2^(ck)+1)/r, where 0<2c<=d, where r/1, and where GCD(c,d)=1;and p=(2^(4k)−2^(3k)+2^(2k)+1)/r; b) selecting an elliptic curve E andan order q; c) selecting a basepoint C; d) generating a private key w;e) generating a public key W=wG; f) distributing p, E, q, G, and W in anauthentic manner; g) retrieving, by a prover, the prover's private keyw; h) retrieving, by a verifier, the prover's public key W; i)generating, by the prover, a private integer k; j) combining, by theprover, k and the prover's G to form K using the form of the prover'smodulus p; k) sending, by the prover, K to the verifier; l) sending, bythe verifier, a challenge integer c to prover; m) combining, by theprover, c, k, and w to form a response integer v; n) sending, by theprover, v to the verifier; and o) combining, by the verifier, cG, K, andW using the form of the prover's modulus p and checking to see if thecombination is equal to vG, if so the user is identified as the user,otherwise the user is not identified as the user.
 2. A method ofgenerating a digital signature, comprising the steps of: a) selecting amodulus p from the group of equations consisting of:p=(2^(dk)−2^(ck)−1)/r, where 0<2c<=d, where r/=1, and where GCD(c,d)=1;p=(2^(dk)−2^((d−1)k)+2^((d−2)k)−. . . −2^(k)+1)/r, where d is even, andwhere k is not equal to 2 (mod 4); p=(2^(dk)−2^(ck)−1)/r, where3d<6c<4d, and where GCD(c,d)=1; p=(2^(dk)−2^(ck)+1)/r, where 0<2c<=d,where r/=1, and where GCD(c,d)=1; and p=(2^(4k)−2^(3k)+2^(2k)+1)/r; b)selecting an elliptic curve E and an order q; c) selecting a basepointG; d) generating a private key w; e) generating a public key W=wG; f)distributing p, E, q, G, and W in an authentic manner; g) retrieving, bya signer, the signer's private key w; h) generating, by the signer, aprivate integer k; i) combining, by the signer, k and G to form K usingthe form of the prover's modulus p; j) combining, by the signer, K and amessage M to form an integer h; k) combining by the signer, h, k, and wto form an integer s; and l) sending, by the signer, M and (K,s) as adigital signature of M.
 3. The method of claim 1, further including thesteps of: a) retrieving, by the verifier, the prover's public key W; b)receiving, by the verifier, M and (K,s); c) combining, by the verifier,K and M to form an integer h; and d) combining, by the verifier, h, k,and W using the form of the prover's modulus p and checking to see ifthe combination is equal to sG, if so then the digital signature isverified, otherwise the digital signature is not verified.
 4. A methodof generating a digital signature, comprising the steps of: a) selectinga modulus p from the group of equations consisting of:p=(2^(dk)−2^(ck)−1)/r, where 0<2c<=d, where r/=1, and where GCD(c,d)=1;p=(2^(dk)−2^((d−1)k)+2^((d−2)k)−. . . −2^(k)+1)/r, where d is even, andwhere k is not equal to 2 (mod 4); p=(2^(dk)−2^(ck)−1)/r, where3d<6c<4d, and where GCD(c,d)=1; p=(2^(dk)−2^(ck)+1)/r, where 0<2c<=d,where r/=1, and where GCD(c,d)=1; and p=(2^(4k)−2^(3k)+2^(2k)+1)/r; b)selecting an elliptic curve E and an order q; c) selecting a basepointG; d) generating a private key w; e) generating a public key W=wG; f)distributing p, E, q, G, and W in an authentic manner; g) retrieving, bya signer, the signer's private key w; h) generating, by the signer, aprivate integer k; i) combining, by the signer, k and G to form K usingthe form of the prover's modulus p; j) combining, by the signer, K and amessage M to form an integer h; k) combining by the signer, h, k, and wto form an integer s; and l) sending, by the signer, M and (h,s) as adigital signature of M.
 5. The method of claim 4, further including thesteps of: a) retrieving, by the verifier, the prover's public key W; b)receiving, by the verifier, M and (h,s); c) combining, by the verifier,h, W, and sG using the form of the prover's modulus p to form K; d)combining, by the verifier, K and M to form an integer h′; and e)checking, by the verifier, that h is equal to h′, if so then the digitalsignature is verified, otherwise the digital signature is not verified.